Best approach to do a calculation using supabase

I have started looking at Supabase, and was thinking about how to approach the following simplified use case:

A logged-in user wants to book a trip with travel insurance. The user must fill in the total travel cost and select an insurance package like bronze, silver or gold. Each will use a different percentage to calculate the premium of the insurance.

OnChange of either the travel cost or insurance package I want to calculate the premium via the Supabase backend, and return the premium and show it to the user.

What I am planning to do is to create a Supabase function ‘calculate-premium’ with the id of the insurance package and the total travel cost as input, and call it via the WeWeb REST API plugin. The function will fetch the premium percentage of the insurance package and calculate. Some questions I have are:

  1. Is this the correct approach or is there a better alternative?
  2. How can I prevent unauthorized users from calling or executing the ‘calculate-premium’ API endpoint? Can I add an authorization check in Supabase, WeWeb or both?
  3. Do I need to duplicate the workflow for both OnChange fields (insurance package and travel cost) or can I create a single workflow that can be linked to both fields?

Thanks in advance

If you wanna go super duper heavy on security, you might need to use Edge Functions (Edge Functions | Supabase Docs), but that would require some coding; it allows you to do an auth check as well.

If it is as simple as a calculator, you might want to do it on the WeWeb side (not the safest option, but it would save you a lot of work).

It really depends on the requirements about safety you have. Is this just an informative calculator, or a feature of an app that must be 100% bulletproof?

I’d start with: why do you feel the calculation would need to be executed on the backend?

Supabase edge function api endpoints require an auth token out of the box. You could do a check in both places but only by checking on the backend can you truly verify the user is authenticated.

I’d create a global workflow with some inputs to accomplish this if you think it can be done from 1 call. It all depends on variables not disclosed here and will be unique to your case.

All the prices/calculations should be done on the backend, if you do them client side, you’re allowing people to interfere with stuff like price you’re gonna charge them etc.

1 Like

That’s exactly the reason why I want to be able to calculate in the backend. I am more familiar with Xano, in which I could create a calculate-premium API endpoint and do the calculation in the function stack, but I am also interested to see how Supabase compares to that.

1 Like

Hey,
this is the approach I would take:

  • Calculate the logic in the frontend
  • Send only the information needed (choices, not price) to the backend
  • The backend will add the price when persisting to the DB

This is the most secure and user-friendly way to do it. Doing the calculation on the backend for display will still let the user send whatever he wants afterwards.
Here are the variations you can do:

  • Add a function to handle the logic in the backend, and call it from the front (API call) and from the back (DB trigger or function). This is a good way to share your code, and be sure that the logic is identical in both cases. You still need to rerun it in the function which persists it in the backend.

  • You can do the logic in the front, send the result in the persist request, check it in the backend and return an error if the price is different. This can be a way to be sure that you persist exactly what the user “saw” in the front.

Concerning implementation, Supabase allows you to have PL/pgSQL functions or lambda functions. You can expose them via an API endpoint, and also run them on a database trigger or from other endpoints.

2 Likes
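The two points the replies above make, that only a backend check can truly verify the caller is authenticated, and that one shared backend function should be called both from the frontend (API call) and from the database (trigger) so the persisted price is never trusted from the client, can both be done in plain Postgres on Supabase. The following SQL is an added example written for this thread, not code from the original posts or from Supabase; the table and column names (insurance_packages, bookings, premium_pct) and the sample percentages are assumptions. It relies on three things Supabase provides: the auth.uid() helper, the anon and authenticated roles, and the fact that PostgREST exposes a function as POST /rest/v1/rpc/<function_name>.

```sql
-- Added example (assumed schema). Packages with their premium percentage.
create table if not exists insurance_packages (
  id          serial primary key,
  name        text not null unique,
  premium_pct numeric(5,2) not null check (premium_pct >= 0)
);

-- Constructed sample data; the real percentages live in your own table.
insert into insurance_packages (name, premium_pct) values
  ('bronze', 3.00), ('silver', 5.00), ('gold', 8.00)
on conflict (name) do nothing;

-- Bookings: the premium column is filled by the trigger below, never by the client.
create table if not exists bookings (
  id          bigserial primary key,
  user_id     uuid not null default auth.uid(),
  package_id  int  not null references insurance_packages(id),
  travel_cost numeric(12,2) not null check (travel_cost > 0),
  premium     numeric(12,2) not null
);

-- Users may only read and write their own bookings.
alter table bookings enable row level security;
create policy "own bookings" on bookings
  for all to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

-- 1. The single source of truth for the calculation.
--    Called from WeWeb for the live quote AND from the trigger when persisting.
create or replace function calculate_premium(package_id int, travel_cost numeric)
returns numeric
language plpgsql
stable
security invoker
as $$
declare
  pct numeric;
begin
  -- Backend auth check: PostgREST runs the function as the role in the JWT,
  -- and auth.uid() is null when no valid user token was presented.
  -- errcode 42501 (insufficient_privilege) is returned to the client as HTTP 403.
  if auth.uid() is null then
    raise exception 'authentication required' using errcode = '42501';
  end if;

  if travel_cost is null or travel_cost <= 0 then
    raise exception 'travel_cost must be positive';
  end if;

  select p.premium_pct into pct
  from insurance_packages p
  where p.id = package_id;
  if not found then
    raise exception 'unknown insurance package %', package_id;
  end if;

  return round(travel_cost * pct / 100, 2);
end;
$$;

-- Only signed-in users may call it over RPC (POST /rest/v1/rpc/calculate_premium).
revoke execute on function calculate_premium(int, numeric) from public, anon;
grant  execute on function calculate_premium(int, numeric) to authenticated;

-- 2. Re-run the same function whenever a booking is written, so any premium
--    value the client sends along is overwritten rather than trusted.
create or replace function set_booking_premium()
returns trigger
language plpgsql
as $$
begin
  new.premium := calculate_premium(new.package_id, new.travel_cost);
  return new;
end;
$$;

create trigger bookings_set_premium
  before insert or update on bookings
  for each row execute function set_booking_premium();

-- Variation from the thread: reject instead of overwrite when the client's number
-- disagrees with the server's, so the user learns that the quote changed.
-- To use it, replace the assignment in set_booking_premium() with:
--   if new.premium is distinct from calculate_premium(new.package_id, new.travel_cost) then
--     raise exception 'premium mismatch: the quote has changed';
--   end if;
```

From WeWeb the OnChange workflow for both fields can call the same endpoint, POST https://<project-ref>.supabase.co/rest/v1/rpc/calculate_premium with the JSON body {"package_id": 2, "travel_cost": 1500} and the logged-in user's access token in the Authorization: Bearer header (plus the apikey header), which for the sample data returns 75.00. Because the trigger recomputes the premium on every insert and update, it does not matter what the client puts in the premium column when it books; with the anon role the call fails before any row is touched.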